Vitaly Zaitsev via devel wrote:

> We're talking about potentially hacked accounts, right?

In this subthread I'm talking about *preventing* account takeovers so that they don't happen in the first place. One specific method of takeover that the Fedora Project would be able to prevent.

I thought the quote I posted was perfectly clear. Evidently it wasn't. Allow me to explain the scenario step by step:

Step 1: J. Doe joins the Fedora Project using a working email address, j.doe@xxxxxxxxxxx. J. Doe gets sponsored and makes some packages. All is well so far.

Step 2: Much later, the holder of example.net stops paying the renewal fee. The registry removes the domain from DNS. j.doe@xxxxxxxxxxx ceases to exist. J. Doe forgets to update the address in their Fedora account. This has happened to 2818 NPM accounts according to the article I quoted. It can happen to Fedora accounts too.

Possible step 3: A program on a Fedora Project server notes that example.net has been deactivated. The program removes the address j.doe@xxxxxxxxxxx from J. Doe's account, or disables sending to the nonexistent address.

Question: Does step 3 happen? I suspect that this program doesn't exist. I haven't seen any mentions of it.

Step 4: The quarantine period ends. The registry releases example.net for registration.

Step 5: Malicious Mallory registers example.net, sets up a mail server and configures the alias "j.doe". Suddenly j.doe@xxxxxxxxxxx exists again, but now this address quite legitimately belongs to Mallory.

Step 6: Mallory enters J. Doe's username into https://accounts.fedoraproject.org/forgot-password/ask and clicks on "Send".

Branch 6A: If step 3 was not done, then a passphrase reset email is sent to j.doe@xxxxxxxxxxx and is received by Mallory. Mallory takes over J. Doe's account and replaces any SSH and OpenPGP keys with his own. Malicious Mallory is now a Fedora packager in the name of J. Doe, and is empowered to insert malware into J. Doe's packages.

Branch 6B: If step 3 was done, then no passphrase reset email is sent. Mallory's attack fails.

Step 7: J. Doe tries to log in.

Branch 7A: If step 3 was not done, then none of J. Doe's credentials work anymore. Mallory has control of the account and J. Doe is locked out.

Branch 7B: If step 3 was done, then the account still belongs to J. Doe. The account system tells J. Doe to enter a new email address. The system sends a verification code to this new address. This is not a passphrase reset. It's an email address verification code, which J. Doe must paste into the web interface while logged in, to prove that the address belongs to the right person. After the new address is verified, J. Doe's account works normally again.

Note that Mallory must do step 5 before step 6 for the attack to work, and the registry won't allow step 5 to happen before step 4. Therefore doing step 3 before step 4 ensures that step 6 cannot happen before step 3. That way the Fedora Project could reliably prevent this kind of attack.

I hope this explanation is clear enough to be understood. In case of TL;DR, the short version is four posts upthread from here.

So, does step 3 exist?

Björn Persson
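The "step 3" check the post asks about, sketched as an added example in Python; this is not Fedora's account-system code and not the poster's. The resolver is injected as a callable so the block runs offline against a constructed account table (`LIVE_DOMAINS`, `SAMPLE_ACCOUNTS` and the `fake_resolver` are made up for the demo). The important design point from the thread is the latch: once reset mail is disabled for a lapsed domain it stays disabled even after the domain resolves again (Mallory's step 5), until the logged-in user verifies a new address (branch 7B).

```python
"""Added example: disable password-reset mail for accounts whose email
domain has lapsed, and only re-enable it after in-session verification.
Not the Fedora account system's code; the resolver is injected so the
example runs offline. Domains and accounts below are constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, List
import socket


@dataclass
class Account:
    username: str
    email: str
    # Latched flag: False means the reset-mail path is closed for this
    # address until a new address has been verified while logged in.
    reset_mail_enabled: bool = True


# Given a domain, returns True if the domain still exists in DNS.
ResolveFn = Callable[[str], bool]


def email_domain(address: str) -> str:
    """Extract the domain part of an address, normalised for comparison."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".")


def deactivate_lapsed(accounts: Iterable[Account], resolves: ResolveFn) -> List[str]:
    """The periodic 'step 3' job: for every account whose domain no longer
    resolves, close the reset-mail path. Returns the affected usernames.
    Never re-enables anything: a domain that resolves again later may
    belong to someone else, which is exactly the attack being prevented."""
    affected = []
    for acct in accounts:
        if not acct.reset_mail_enabled:
            continue  # already latched off; leave it for verification
        if not resolves(email_domain(acct.email)):
            acct.reset_mail_enabled = False
            affected.append(acct.username)
    return affected


def should_send_reset(acct: Account) -> bool:
    """Gate for the forgot-password flow (step 6 / branch 6B)."""
    return acct.reset_mail_enabled


def verify_new_address(acct: Account, new_email: str, submitted_code: str,
                       expected_code: str) -> bool:
    """Branch 7B: the logged-in user supplies a new address and the code
    sent to it; only then does the reset-mail path reopen."""
    if submitted_code != expected_code:
        return False
    email_domain(new_email)  # raises on a malformed address
    acct.email = new_email
    acct.reset_mail_enabled = True
    return True


def stdlib_resolver(domain: str) -> bool:
    """Stand-in for a real lookup using only the standard library: an
    address-record check. A production job would also check MX records
    (e.g. with dnspython); this function is not used by the offline demo."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


# Constructed data for the offline demo.
LIVE_DOMAINS = {"example.com", "example.org"}


def fake_resolver(domain: str) -> bool:
    return domain in LIVE_DOMAINS


SAMPLE_ACCOUNTS = [
    Account("jdoe", "j.doe@example.net"),      # domain lapsed in the story
    Account("asmith", "a.smith@example.com"),  # domain still live
]


if __name__ == "__main__":
    print("disabled:", deactivate_lapsed(SAMPLE_ACCOUNTS, fake_resolver))
    # Mallory re-registers example.net; the job runs again.
    print("after re-registration:", deactivate_lapsed(SAMPLE_ACCOUNTS, lambda d: True))
    print("reset mail for jdoe?", should_send_reset(SAMPLE_ACCOUNTS[0]))
```

Run as a cron-style job, the second pass is the one that matters: with `example.net` resolving again, `deactivate_lapsed` changes nothing and `should_send_reset` still answers no for jdoe, which is the "step 3 before step 4" guarantee the post describes.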
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure